Technology · Analysis
GitHub AI Agent Flaw Leaks Private Code
Security researchers tricked GitHub's AI agent into leaking private repository contents through a single crafted issue—no credentials, coding skills, or system access required.
Stake & Paper Editorial TeamJuly 8, 2026
Security researchers at Noma Labs discovered a prompt injection vulnerability in GitHub's Agentic Workflows that allows attackers to trick AI agents into pulling data from private repositories and leaking it as a public comment
, according to
a disclosure published July 7, 2026
.
The attacker needs no coding skills, access, or credentials—only the ability to open an issue in a public repository and wait
.
Noma Labs named the vulnerability GitLost
.
GitHub launched Agentic Workflows in technical preview on February 13, 2026, allowing teams to automate repository tasks using AI agents that run within GitHub Actions
.
The workflows allow an AI agent powered by Claude or GitHub Copilot to autonomously execute tasks in GitHub Actions
.
How a Single Issue Became an Attack Vector
The workflows are vulnerable to a critical prompt injection flaw that causes GitHub's AI agent to retrieve data from a private repo by crafting a GitHub issue in a public repository belonging to the same organization
.
The attacker simply hides the malicious commands in plain English in the issue body, and the agent will then post this data as a public comment on the issue in the public repository
.
Noma researchers crafted a GitHub issue that looked completely innocent, consisting of a plausible-looking request from a VP Sales. After a GitHub automation assigned the issue, an event-triggered workflow caused the agent to fetch the contents of README.md from both the poc (public) and testlocal (private) repositories. The GitHub agent then posted them as a public comment on the issue in the public repository, which anyone could access and read
.
Noma reported that in its test, a one-word change was enough to slip past GitHub's guardrails. Prefixing the malicious instruction with "Additionally" led the model to treat it as a follow-on task, not something to refuse, and the guardrail let it through
, according to The Hacker News.
Why Traditional Security Models Don't Apply
The root cause is prompt injection—a familiar vulnerability in agentic AI systems where the agent treats the wrong content as a trusted source of instructions and allows itself to be misdirected or misused. This happens when the system fails to maintain a strict trust boundary between system-level directives and untrusted user data
.
"This isn't prompt injection in the abstract—this is GitHub shipping agent permissions before shipping agent security," said Sanjay Dubey, a security analyst quoted by CSO Online. "The vulnerability exposes that AI agents operate on a service account permission model, not a user permission model. That's an architectural assumption security teams made before considering LLMs as an attack vector"
.
Sasi Levi, Security Research Lead at Noma Security, told The Hacker News that "earlier prompt injection examples were largely about manipulating what an agent said. GitLost is about manipulating what an agent does with its permissions"
.
The Blast Radius Problem
GitLost should be of concern to enterprises, which typically have both public and private repositories connected to their Git org. "An autonomous agent should not be a risk for silent data exfiltration and secrets exposure," Levi said. "Before a security team gives a pass to any autonomous agent, they need to ensure they understand all possible connections, access and paths, potential blast radius of the agent's access, and permissions"
, The Register reported.
Exposure is limited to organizations that have enabled the preview and wired an agent to read untrusted public input while holding read access to private repositories and are able to post in public. What an attacker could pull depends on what the agent's token can see, from proprietary source code to internal keys, design documents, or CI/CD secrets
.
GitLost is the latest in a run of the same kind of attack. A flaw in Anthropic's Claude Code GitHub Action let a single malicious issue push the agent into leaking secrets and seizing write access to a repository. Orca Security's RoguePilot used a hidden prompt in a GitHub issue to make Copilot leak a repository's privileged token
, according to The Hacker News.
No Fix, Only Mitigation
As is the case with most prompt-injection issues plaguing AI agents and systems, the vulnerability can't be completely fixed in code. So the Noma researchers proposed documentation instead—but that didn't happen, either
.
"The proposed fix was a documentation callout encouraging users to adopt different strategies to their API key sharing between their repos," Levi told The Register. As of Tuesday, GitHub had not implemented any such documentation
.
Researchers and the vendors themselves keep filing the result under "architectural limitation," and Levi's point is why the label sticks: in natural language, there is no clean line between data and instruction the way there is in SQL, so the fix leans on architecture rather than filtering the injection away, on isolation, scoped credentials, and staged review
.
GitHub told Noma it updated the documentation creating the flaw, and the last time the researchers checked, it was not there
, according to Dark Reading. The Register reached out to GitHub for comment and did not receive a response.
What Changed This Week
A critical vulnerability in GitHub's AI-powered automation exposed private repository contents through prompt injection attacks that require no credentials or technical skills. The flaw, disclosed July 7 by Noma Security, affects GitHub Agentic Workflows launched in February 2026. Researchers bypassed GitHub's guardrails with a single word change, demonstrating that AI agent security remains an architectural challenge rather than a patchable bug. GitHub has not implemented the proposed documentation fixes as of July 8.
What to Watch
Prompt injection attacks have become, to agentic AI, what SQL injections were to web applications: a systematic, category-wide vulnerability class that requires the same systematic strategies and defenses. Organizations should never treat user-controlled content as trusted instruction input for an AI agent, scope permissions to the minimum required, and restrict what any agent can post publicly
.
According to a 2026 survey, 88% of organizations reported confirmed or suspected AI agent security incidents in the last year. In healthcare, that number is 92.7%
.
Gartner projects that 40% of enterprise applications will include task-specific AI agents by the end of 2026, up from less than 5% today
. Watch for additional disclosures of similar vulnerabilities across AI coding agents and whether GitHub implements stronger architectural controls for Agentic Workflows as the feature moves from preview to general availability.
Reporting based on coverage from The Register, Noma Security, The Hacker News, CSO Online, Dark Reading, SiliconANGLE, July 6-8, 2026.